Time Sync on Azure VM's

  • Last Post 03 August 2015
ThomasVuylsteke posted this 05 June 2015

All,

I haven’t had much experience with Hyper-V based infrastructures, but now I’m working on Azure based VMs from time to time. I guess there are similarities in those. I looked into time sync a bit, and I was surprised that articles like:

  • https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx
  • https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/

don’t mention anything about time sync. So I did some digging and testing, and here are my conclusions: http://setspn.blogspot.be/2015/06/synchronizing-time-on-azure-virtual.html

Do you guys agree with the following statement?

Whenever you host virtual machines in Azure that are part of a Windows Active Directory Domain, make sure to disable the VM IC Time Provider component.

Basically “do the same as you would do with Hyper-V VMs on premises”…

Thanks in advance!
Kind regards,
Thomas

slavickp posted this 08 June 2015

Let me be a contrarian here. For years, Microsoft has told us to build the NTDS time hierarchy with only the PDCe of the root domain synchronising time with an external source. That’s what you propose to follow.
However, the real objective is to keep time in sync. I have no reason to believe that the Azure fabric does a worse job of timekeeping than I will with an added layer. Also, the VM will read time from the fabric upon boot, so it’s not like you are completely isolated from disturbance in the Azure fabric.
So I think it’s also okay to sync PDCe, or indeed all systems on the domain, from the VM IC time provider. Additional precautions equally apply.
Regards
Slav
MCM-DS


idarryl posted this 03 August 2015

Yes. There should be only one authoritative time source in a forest. Domain members (potentially) not having the same time as the entity issuing the Kerberos ticket (i.e. the DC) risk experiencing authentication issues.
PS, queries of this nature would normally be deemed off topic (mainly because the emphasis is on VM configuration), and are less likely to get a response, but if you think they still have some merit please add OT to the subject line.
~
Darryl


SmitaCarneiro posted this 03 August 2015

There is a good blog by Ben Armstrong on VMs and time synching. Not at my computer right now, but for regular virtual domain controllers there is a registry key that needs to be changed.


